In a win for privacy advocates, the FCC voted this morning to place new restrictions on internet providers that limit the information they can share about their subscribers.

When the rules go into place, likely sometime early next year, internet providers will be required to get explicit permission from subscribers before sharing “sensitive” information about them, such as their browsing history, their app usage, their location, and the content of emails and other communications.

This is all particularly revealing data, and none of it has been governed by FCC privacy rules until now. That means internet providers have been able to share or sell it to their partners, who might have used the information to advertise their own products and services to those customers.

INTERNET PROVIDERS CAN’T FORCE YOU INTO SHARING SENSITIVE DATA

Medical and financial information will also be restricted by these rules, as will social security numbers and information on children. Any information that isn’t covered by these categories can still be shared by internet providers unless consumers actively opt-out.

Internet providers will be required to inform customers of any information they’re collecting and update them anytime that changes.

“It is the consumer’s information,” FCC chairman Tom Wheeler said before today’s vote. “How it is used should be the consumer’s choice, not the choice of some corporate algorithm.”

The rules also require that internet providers “take reasonable measures” to secure customers’ sensitive information. There are no specifics here — just guidelines — but they’re generally meant to ensure that security procedures are responsible and up to date. In the event of a breach, affected customers will have to be notified within 30 days.

In theory, rules are also in place to ensure that internet providers can’t force consumers to opt into sharing. The FCC will prohibit internet providers from refusing to serve customers who don’t agree. But it might still allow internet providers to charge customers more if they refuse to opt in. That’s something that could become pretty controversial — and there doesn’t appear to be any clear rules governing the practice.

THE FCC WILL REVIEW ANY ATTEMPTS TO CHARGE CUSTOMERS FOR PRIVACY

Instead, the FCC simply says that it’ll review any instances of this — essentially, privacy fees — on a case-by-case basis. The commission said earlier this month that “consumers should not be forced to choose between paying inflated prices and maintaining their privacy,” so it sounds like the agency’s current leadership doesn’t intend to allow much of this to happen. But it seems that the rules may be vague enough that future leadership could let privacy fees slide.

Even without customers’ permission, there’s still one way that internet providers will be able to share their data: anonymously. The FCC will allow sharing to occur without permission so long as internet providers anonymize the data “so that it can’t be reasonably linked to a specific individual or device” and contractually prohibit partners from attempting to identify who that data belongs to.

That means your web browsing information could still be shared — but, in theory, it won’t be linked to you or your computer.

The rules, first proposed in a preliminary form back in March, passed in a 3-to-2 vote. They’ll go into place after being published in the Federal Register, likely a few months from now.